Block IP permanently after a few failed login attempts

FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Block IP permanently after a few failed login attempts

Post by FTP »

First, enable the anti-hammer option under "Domain > Settings > General Settings > Password & Security > Enable Anti-hammer".

And then insert the following Lua script in the event "OnExceedUSERPASS":

Code: Select all

local ipmasks = c_GetGlobalIPMaskList()
local g_ipmasks = {}
if type(ipmasks) == "table" then
   for _,ipmask in pairs(ipmasks) do
      local temp = {}
      table.insert(temp,ipmask.ip)
      table.insert(temp,ipmask.refuse)
      table.insert(temp,ipmask.comment)
      table.insert(g_ipmasks,temp)
   end
end
table.insert(g_ipmasks,{"%IP",true})
c_SetGlobalIPMaskList(g_ipmasks)
TeamBas
Posts: 12
Joined: Wed Sep 15, 2021 8:59 am

Re: Block IP permanently after a few failed login attempts

Post by TeamBas »

And how can I reverse a ban if I have used the script?
Gallaxial
Posts: 9
Joined: Tue Jun 09, 2020 7:13 pm

Re: Block IP permanently after a few failed login attempts

Post by Gallaxial »

I got the same problem how to reverse the BAN can find anywhere
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Block IP permanently after a few failed login attempts

Post by FTP »

For example, if you want to remove the banned IP "192.168.31.100", you can try the following script:

Code: Select all

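local ipmasks = c_GetGlobalIPMaskList()
if type(ipmasks) == "table" then
   -- Walk the list backwards: table.remove shifts later entries down,
   -- so removing while iterating forwards with pairs() can skip rules.
   for i = #ipmasks, 1, -1 do
      if ipmasks[i].ip == "192.168.31.100" then
         table.remove(ipmasks, i)
      end
   end
end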

local global_ipmasks = {}
if type(ipmasks) == "table" then
	for _,ipmask in pairs(ipmasks) do
		local temp = {}
		table.insert(temp,ipmask.ip)
		table.insert(temp,ipmask.refuse)
		table.insert(temp,ipmask.comment)
		table.insert(global_ipmasks,temp)
	end
end

c_SetGlobalIPMaskList(global_ipmasks)
DomDis
Posts: 33
Joined: Sat Mar 18, 2023 7:44 pm

Re: Block IP permanently after a few failed login attempts

Post by DomDis »

FTP wrote: Sun Dec 12, 2021 6:50 am For example, if you want to remove the banned IP "192.168.31.100", you can try the following script:

Code: Select all

local ipmasks = c_GetGlobalIPMaskList()
if type(ipmasks) == "table" then
   for i,ipmask in pairs(ipmasks) do
	if ipmask.ip == "192.168.31.100" then
		table.remove(ipmasks, i)
	end
   end
end

local global_ipmasks = {}
if type(ipmasks) == "table" then
	for _,ipmask in pairs(ipmasks) do
		local temp = {}
		table.insert(temp,ipmask.ip)
		table.insert(temp,ipmask.refuse)
		table.insert(temp,ipmask.comment)
		table.insert(global_ipmasks,temp)
	end
end

c_SetGlobalIPMaskList(global_ipmasks)

Can't this be found in one of the settings (GetGlobalIPMaskList), which I hope is Domains, Settings, IP Access?
DomDis
Posts: 33
Joined: Sat Mar 18, 2023 7:44 pm

Re: Block IP permanently after a few failed login attempts

Post by DomDis »

How do I edit posts?

DomDis wrote: Thu Jun 22, 2023 10:09 pm
FTP wrote: Sun Dec 12, 2021 6:50 am For example, if you want to remove the banned IP "192.168.31.100", you can try the following script:

Code: Select all

local ipmasks = c_GetGlobalIPMaskList()
if type(ipmasks) == "table" then
   for i,ipmask in pairs(ipmasks) do
	if ipmask.ip == "192.168.31.100" then
		table.remove(ipmasks, i)
	end
   end
end

local global_ipmasks = {}
if type(ipmasks) == "table" then
	for _,ipmask in pairs(ipmasks) do
		local temp = {}
		table.insert(temp,ipmask.ip)
		table.insert(temp,ipmask.refuse)
		table.insert(temp,ipmask.comment)
		table.insert(global_ipmasks,temp)
	end
end

c_SetGlobalIPMaskList(global_ipmasks)
Can I remove the ban that was done in the events ... The post says to run this BUT where does one run this ????

And how can I reverse a ban if I have used the script?
For example, if you want to remove the banned IP "192.168.31.100", you can try the following script:

local ipmasks = c_GetGlobalIPMaskList()
if type(ipmasks) == "table" then
for i,ipmask in pairs(ipmasks) do
if ipmask.ip == "192.168.31.100" then
table.remove(ipmasks, i)
end
end
end

local global_ipmasks = {}
if type(ipmasks) == "table" then
for _,ipmask in pairs(ipmasks) do
local temp = {}
table.insert(temp,ipmask.ip)
table.insert(temp,ipmask.refuse)
table.insert(temp,ipmask.comment)
table.insert(global_ipmasks,temp)
end
end

c_SetGlobalIPMaskList(global_ipmasks)
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Block IP permanently after a few failed login attempts

Post by FTP »

Yes, your above script is correct. And if you want to handle the domain level rules, just replace the following APIs:

c_GetGlobalIPMaskList() ===> c_GetIPMaskList("DomainName")
c_SetGlobalIPMaskList(ipmasks) ===> c_SetIPMaskList("DomainName", ipmasks)
DomDis
Posts: 33
Joined: Sat Mar 18, 2023 7:44 pm

Re: Block IP permanently after a few failed login attempts

Post by DomDis »

FTP wrote: Fri Jun 23, 2023 1:42 pm Yes, your above script is correct. And if you want to handle the domain level rules, just replace the following APIs:

c_GetGlobalIPMaskList() ===> c_GetIPMaskList("DomainName")
c_SetGlobalIPMaskList(ipmasks) ===> c_SetIPMaskList("DomainName", ipmasks)
Domain level rules - I'm not sure I know what they are

Will these IPs appear in Domains, Settings, IP Access so I can remove them manually if I choose to (or is that what you are talking about above)?
DomDis
Posts: 33
Joined: Sat Mar 18, 2023 7:44 pm

Re: Block IP permanently after a few failed login attempts

Post by DomDis »

FTP wrote: Fri Jun 23, 2023 1:42 pm Yes, your above script is correct. And if you want to handle the domain level rules, just replace the following APIs:

c_GetGlobalIPMaskList() ===> c_GetIPMaskList("DomainName")
c_SetGlobalIPMaskList(ipmasks) ===> c_SetIPMaskList("DomainName", ipmasks)
Yeah, I tried that and I don't think it worked. All I ever see in the logs is that the IP is temporarily banned. It never gets permanently banned.

Code: Select all

[02] Fri, 23 Jun 2023 20:29:32 (0000006) Failed to exchange the keys.
[02] Fri, 23 Jun 2023 20:29:33 (0000006) Closed session, disconnected from 180.101.88.235
[02] Fri, 23 Jun 2023 20:29:48 (0000010) Connected from 180.101.88.235 (local address 172.16.107.47, port 22)
[02] Fri, 23 Jun 2023 20:29:48 (0000011) Connected from 180.101.88.235 (local address 172.16.107.47, port 22)
[02] Fri, 23 Jun 2023 20:30:10 (0000012) Connected from 180.101.88.235 (local address 172.16.107.47, port 22)
[02] Fri, 23 Jun 2023 20:30:10 (0000013) Connected from 180.101.88.235 (local address 172.16.107.47, port 22)
[01] Fri, 23 Jun 2023 20:30:12 (0000013) The user root started SSH authentication.
[01] Fri, 23 Jun 2023 20:30:12 (0000012) The user root started SSH authentication.
[01] Fri, 23 Jun 2023 20:30:12 (0000013) Failed in user/password authentication.
[01] Fri, 23 Jun 2023 20:30:12 (0000012) Failed in user/password authentication.
[02] Fri, 23 Jun 2023 20:30:12 IP address:180.101.88.235 is blocked for 10800 seconds.
[02] Fri, 23 Jun 2023 20:30:12 (0000012) Closed session, disconnected from 180.101.88.235
[01] Fri, 23 Jun 2023 20:30:13 (0000013) Failed in user/password authentication.
[01] Fri, 23 Jun 2023 20:30:13 (0000013) Failed in user/password authentication.
[01] Fri, 23 Jun 2023 20:30:13 The lua script of event OnExceedUSERPASS executed successfully.
[02] Fri, 23 Jun 2023 20:30:13 (0000013) Closed session, disconnected from 180.101.88.235
[02] Fri, 23 Jun 2023 20:30:18 (0000010) Failed to exchange the keys.
[02] Fri, 23 Jun 2023 20:30:18 (0000011) Failed to exchange the keys.
[02] Fri, 23 Jun 2023 20:30:18 (0000010) Closed session, disconnected from 180.101.88.235
[02] Fri, 23 Jun 2023 20:30:18 (0000011) Closed session, disconnected from 180.101.88.235
[02] Fri, 23 Jun 2023 20:30:32 (0000000) Closed session, disconnected from 180.101.88.235. The reason is: The IP 180.101.88.235 is banned temporarily.
[02] Fri, 23 Jun 2023 20:30:32 (0000000) Closed session, disconnected from 180.101.88.235. The reason is: The IP 180.101.88.235 is banned temporarily.
[02] Fri, 23 Jun 2023 20:30:56 (0000000) Closed session, disconnected from 180.101.88.235. The reason is: The IP 180.101.88.235 is banned temporarily.
[02] Fri, 23 Jun 2023 20:30:57 (0000000) Closed session, disconnected from 180.101.88.235. The reason is: The IP 180.101.88.235 is banned temporarily.
[02] Fri, 23 Jun 2023 20:31:18 (0000000) Closed session, disconnected from 180.101.88.235. The reason is: The IP 180.101.88.235 is banned temporarily.
[02] Fri, 23 Jun 2023 20:31:18 (0000000) Closed session, disconnected from 180.101.88.235. The reason is: Th
I receive an email from the script;

Code: Select all

GDCFTP (180.101.88.235) SSH Security WARNING Event: root has performed a OnExceedUSERPASS event
NO
NoReply <NoReply@GDCFTP.GDC.COM>
6/23/2023 8:30 PM
To: Domenic.disorbo@gdc.com <Domenic.disorbo@gdc.com>
Dear Domenic.disorbo@gdc.com

The FTP user > root < from the following IP 180.101.88.235 has just produced an SSH Security WARNING Event: OnExceedUSERPASS (Fri,  Jun 23, 2023 08:30 PM). Banning access for this IP

and here is the SSH event code OnExceedUSERPASSWORD

Code: Select all

--                  [1]           [2]                [3]                 [4]            [5]            [6]
--  c_SendMail(string strTo,string strSubject,string strPlainText,string strAttach,string strSmtpName,bool bHTML)
--    Parameters
--      [1]string the receiver's email addresses, multiple email addresses can be separated by a comma
--      [2]string mail subject
--      [3]string mail content
--      [4]string attach file path
--      [5]string the smtp configuration name
--      [6]bool mail content is HTML?, true=yes, false=no.
--      Return Values
--        [1]bool return true if email is sent successfully, otherwise return false
--
-- To Write to the Admin Log 
-- c_AddAdminLog("Starting " .. event_type .. " " .. event_action .. " OnFileDownLoad",1)

local user = c_GetUser("%Domain","%Name")   
-- Original but I want to notify emails addrs in the user.note_memo - local user_email = user.note_email 
-- Variable not available if user does authenticate -- local user_memo = user.note_memo
local event_type = "SSH Security WARNING Event:"
local event_action = "OnExceedUSERPASS"

--if user_memo == nil or user_memo == "" then 
  local user_memo = "Domenic.disorbo@gdc.com"
--end

-- No send this to the FTP administrator 
-- local mSendTo = user_memo
local mSendTo = "Domenic.disorbo@gdc.com"   
local mSalutation = user_memo.gsub(user_memo,",", ", ")
local mDate = os.date("%a,  %b %d, %Y %I:%M %p")
local mSubject = "GDCFTP  (%IP) ".. event_type .. " %Name has performed a " .. event_action .. " event"
local mBody ="Dear " .. mSalutation .. "\n\n The FTP user > %Name < from the following IP %IP has just produced an " .. event_type .. " " .. event_action..  " (" .. mDate .. "). Banning access for this IP"    
local mSMTP = "Big Mountain Mail"


if mSendTo ~= nil and mSendTo ~= "" then 
   c_SendMail(mSendTo, mSubject, mBody, "", mSMTP)
   -- To Write to the Admin Log 
   -- c_AddAdminLog("     Notifying " .. mSendTo .. " of " .. event_type .. " " .. event_action, 1)
end

--Ban the IP 

--local ipmasks = c_GetGlobalIPMaskList()
-- handle the domain level rules
local ipmasks = c_GetIPMaskList("DomainName") 
local g_ipmasks = {}
if type(ipmasks) == "table" then
   for _,ipmask in pairs(ipmasks) do
      local temp = {}
      table.insert(temp,ipmask.ip)
      table.insert(temp,ipmask.refuse)
      table.insert(temp,ipmask.comment)
     table.insert(g_ipmasks,temp)
   end
end
table.insert(g_ipmasks,{"%IP",true})
--c_SetGlobalIPMaskList(g_ipmasks)
--handle the domain level rules
c_SetIPMaskList("DomainName", ipmasks) 

Also, I think you missed answering a couple of my questions.

Will this script add the IP to Administrator, Settings, IP Access and/or will it add to Domain, Settings, IP Access? If the answer is NO, then how can I make it do that? Being able to visually look on the admin client to un-ban an IP is so much easier than running a script (you never answered one of my previous questions: how do I run a script on the server?).

Sure, I found this in the forum, but where the heck or how the heck do you run it?

Code: Select all

And how can I reverse a ban if I have used the script?
For example, if you want to remove the banned IP "180.101.88.235", you can try the following script:

local ipmasks = c_GetGlobalIPMaskList()
if type(ipmasks) == "table" then
   for i,ipmask in pairs(ipmasks) do
	if ipmask.ip == "180.101.88.235" then
		table.remove(ipmasks, i)
	end
   end
end

local global_ipmasks = {}
if type(ipmasks) == "table" then
	for _,ipmask in pairs(ipmasks) do
		local temp = {}
		table.insert(temp,ipmask.ip)
		table.insert(temp,ipmask.refuse)
		table.insert(temp,ipmask.comment)
		table.insert(global_ipmasks,temp)
	end
end

c_SetGlobalIPMaskList(global_ipmasks)

So this post has 3 questions

1. Will this script add the IP to Administrator, Settings, IP Access
2. will it add to Domain, Settings, IP access
3. If the answer is NO to 1 or 2 or both then; can the script add entries to those tables ?

Oh nuts, I just found Administrator, General Settings and an IP Access tab - what's that, and should I be populating that instead of or in addition to the above?


OK now we are up to 4 Questions

1. Will this script add the IP to Administrator, Settings, IP Access
2. will it add to Domain, Settings, IP access
3. If the answer is NO to 1 or 2 or both then; can the script add entries to those tables ?
4. Should I be adding to Administrator, General Settings and an IP access tab instead or in addition to the above?
FTP
Site Admin
Posts: 2072
Joined: Tue Sep 29, 2009 6:09 am

Re: Block IP permanently after a few failed login attempts

Post by FTP »

You need to replace the string "DomainName" with your real domain name, or just use the variable "%Domain" for the event script. And here are the Lua scripts for adding domain/admin IP rules:

Code: Select all

--add domain IP rules
local ipmasks = c_GetIPMaskList("%Domain")
local g_ipmasks = {}
if type(ipmasks) == "table" then
   for _,ipmask in pairs(ipmasks) do
      local temp = {}
      table.insert(temp,ipmask.ip)
      table.insert(temp,ipmask.refuse)
      table.insert(temp,ipmask.comment)
      table.insert(g_ipmasks,temp)
   end
end
table.insert(g_ipmasks,{"%IP",true})
c_SetIPMaskList("%Domain", g_ipmasks)

Code: Select all

--add admin IP rules
local ipmasks = c_GetAdminIPMaskList()
local g_ipmasks = {}
if type(ipmasks) == "table" then
   for _,ipmask in pairs(ipmasks) do
      local temp = {}
      table.insert(temp,ipmask.ip)
      table.insert(temp,ipmask.refuse)
      table.insert(temp,ipmask.comment)
      table.insert(g_ipmasks,temp)
   end
end
table.insert(g_ipmasks,{"%IP",true})
c_SetAdminIPMaskList(g_ipmasks)
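
Added example, not part of FTP's posts or the server's own code: the ban and unban scripts from this thread written as pure Lua helpers, so that a repeated OnExceedUSERPASS event does not append the same IP twice, an allowlisted address is never banned, and an unban drops every matching rule in one pass. The helper names, the allowlist and the sample records are assumptions; only the ip/refuse/comment fields and the c_Get*/c_Set* calls come from the thread.

```lua
-- Records use the fields the thread's scripts read: ip, refuse, comment.
-- Assumption: the rule list is a plain array, so ipairs visits every rule.

-- Convert records to the positional rows {ip, refuse, comment} that the
-- thread's scripts pass to the c_Set*IPMaskList calls.
local function to_rows(records)
   local rows = {}
   if type(records) ~= "table" then return rows end
   for _, r in ipairs(records) do
      rows[#rows + 1] = { r.ip, r.refuse, r.comment }
   end
   return rows
end

-- Add a refuse rule for `ip` unless it is allowlisted or already listed.
local function with_ban(records, ip, comment, allowlist)
   local rows = to_rows(records)
   for _, safe in ipairs(allowlist or {}) do
      if safe == ip then return rows, false end
   end
   for _, row in ipairs(rows) do
      if row[1] == ip then return rows, false end
   end
   rows[#rows + 1] = { ip, true, comment }
   return rows, true
end

-- Drop every rule for `ip`; also return how many rules were removed.
local function without_ip(records, ip)
   local rows, removed = {}, 0
   for _, row in ipairs(to_rows(records)) do
      if row[1] == ip then removed = removed + 1 else rows[#rows + 1] = row end
   end
   return rows, removed
end

-- Constructed sample standing in for what c_GetIPMaskList("%Domain") returns.
local sample = {
   { ip = "192.168.31.100", refuse = true,  comment = "auto-ban" },
   { ip = "192.168.31.100", refuse = true,  comment = "auto-ban" }, -- duplicate
   { ip = "10.0.0.5",       refuse = false, comment = "admin workstation" },
}

local rows, added = with_ban(sample, "10.0.0.5", "auto-ban", { "10.0.0.5" })
print(#rows, added)
local kept, removed = without_ip(sample, "192.168.31.100")
print(#kept, removed)
-- In the event script the result would be written back with
-- c_SetIPMaskList("%Domain", rows), as in FTP's script above.
```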